security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1136/T1136.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

59 lines
2.1 KiB
Markdown
Raw Blame History

# T1136 - Create Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
<blockquote>Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
The <code>net user</code> commands can be used to create a local or domain account.
Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
Platforms: Linux, macOS, Windows
Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs
Permissions Required: Administrator</blockquote>
## Atomic Tests
- [Atomic Test #1 - Create a user account on a Linux system](#atomic-test-1---create-a-user-account-on-a-linux-system)
- [Atomic Test #2 - Create a user account on a MacOS system](#atomic-test-2---create-a-user-account-on-a-macos-system)
<br/>
## Atomic Test #1 - Create a user account on a Linux system
Create a user via useradd
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
#### Run it with `bash`!
```
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
<br/>
<br/>
## Atomic Test #2 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
**Supported Platforms:** macOS
#### Run it with `bash`!
```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink